On Mar 10, 2011 9:23 PM, "Reindl Harald" <h.rei...@thelounge.net> wrote:
>
> Am 10.03.2011 21:09, schrieb mos:
> > At 12:37 PM 3/10/2011, Claudio Nanni wrote:
> >
> >> Hi there,
> >> Yes I think it's actually a pattern a few hundred million sites solved already :)
> >
> > Great. How did they do it? :)
> >
> >> And any way to encrypt (scramble) the http get string would do. But my question is, are you afraid of sql injection?
> >
> > I'm using parameterized queries and validating user input so SQL injection shouldn't be a problem.
> > I just don't want to give the hacker any more useful information than necessary. Let's say I have a Document_Id
> > column and the url is
> > www.mydocuments.com/public?docid=4
> >
> > to retrieve document_id=4, I don't want someone to write a program to retrieve all of my public documents and
> > download them. I want them to go through the user interface.
> > The private documents of course need a user name and password to access them, but public documents do not require
> > passwords.
> >
> > So hashing or encrypting the id column will make the id's non-contiguous and impossible to guess.
>
> sorry but this is foolish
> leave the id in peace and add a column with some checksum
Wordpress guys are also foolish? They do not even encrypt. And what's the difference between passing an encrypted Id in a GET or passing another column with a checksum derived from the Id?
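The "keep the id, add a checksum" variant from the thread, as an added example (not code from any poster): the plain numeric id stays in the URL and stays usable as the indexed lookup key, and a keyed checksum (an HMAC, not a bare CRC or MD5 of the id, which anyone could recompute) is appended to it and verified before the database is queried. The key, the `SIG_LEN` truncation and the `id.signature` reference format are all constructed choices for this example. Note what this does and does not buy: it stops sequential guessing of `docid` values by someone who does not hold the server key, but a public document is still retrievable by anyone who has a link to it.

```python
import hmac
import hashlib
from typing import Optional

# Constructed server-side secret for this example; a real deployment loads it
# from configuration and never hard-codes it.
SERVER_KEY = b"example-key-do-not-use-in-production"

# Number of hex characters of the HMAC kept in the public reference (a constructed choice).
SIG_LEN = 16


def sign_doc_id(doc_id: int, key: bytes = SERVER_KEY) -> str:
    """Keyed checksum of the numeric id. Because it is an HMAC rather than a plain
    hash of the id, nobody without the key can compute it for other ids."""
    mac = hmac.new(key, str(doc_id).encode("ascii"), hashlib.sha256).hexdigest()
    return mac[:SIG_LEN]


def make_public_ref(doc_id: int, key: bytes = SERVER_KEY) -> str:
    """Reference the UI embeds in links, e.g. ?docid=4.<signature>; the plain id
    remains visible and is what the database row is looked up by."""
    return f"{doc_id}.{sign_doc_id(doc_id, key)}"


def resolve_public_ref(ref: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Validate a reference taken from the query string. Returns the document id only
    when the checksum matches; a guessed or incremented id yields None before any query."""
    id_part, sep, sig_part = ref.partition(".")
    if not sep or not id_part.isdigit() or len(sig_part) != SIG_LEN:
        return None
    doc_id = int(id_part)
    expected = sign_doc_id(doc_id, key)
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected, sig_part):
        return None
    return doc_id


def count_guesses_accepted(start: int, stop: int, key: bytes = SERVER_KEY) -> int:
    """Defender's check: how many sequential ids get accepted when the caller only has
    one legitimate reference (the one for `start`) and reuses its signature for the rest.
    With a keyed checksum the answer is 1, the reference it already had."""
    _, _, seen_sig = make_public_ref(start, key).partition(".")
    accepted = 0
    for candidate in range(start, stop):
        if resolve_public_ref(f"{candidate}.{seen_sig}", key) is not None:
            accepted += 1
    return accepted


if __name__ == "__main__":
    ref = make_public_ref(4)
    print("link reference:", ref)
    print("resolves to:", resolve_public_ref(ref))
    print("ids accepted by sequential guessing 4..99:", count_guesses_accepted(4, 100))
```

In answer to the question above about the difference from encrypting the id: with the checksum form the lookup still hits the integer primary key directly, the reference is self-checking (a bad signature is rejected without touching the database), and rotating the key only invalidates old links rather than requiring the column to be re-encrypted.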